Data Types Reference

Complete reference for all shared data structures, enumerations, and constants used across the kernel driver, monitor, and scanner components.

Related: Kernel ↔ User Interface · Scanner API


1. Type Ownership Map

flowchart TB
    subgraph Headers["Header Files"]
        Common["FsMinifilterCommon.h\n(Kernel โ†” Monitor)"]
        Shared["ScannerShared.h\n(Monitor โ†” Scanner)"]
        ScanAPI["scanner_api.h\n(Scanner internal)"]
        PEH["pe_parser.h\n(Scanner internal)"]
        FeatH["features.h\n(Scanner internal)"]
        DriverH["FsMinifilter.h\n(Kernel internal)"]
    end

    subgraph Consumers
        K["Kernel Driver"]
        M["Monitor"]
        S["Scanner"]
    end

    Common --> K
    Common --> M
    Shared --> M
    Shared --> S
    ScanAPI --> S
    PEH --> S
    FeatH --> S
    DriverH --> K

    style Headers fill:#4361ee,color:#fff

2. Shared Types: FsMinifilterCommon.h

Used by: Kernel Driver and Monitor

Constants

| Name | Value | Description |
| --- | --- | --- |
| MINIFILTER_PORT_NAME | L"\\FsMinifilterPort" | NT object path for the filter communication port |
| MAX_FILE_PATH_LENGTH | 520 | Maximum characters in the FilePath field (WCHARs) |

Message Type Constants

| Name | Value | Description |
| --- | --- | --- |
| MSG_TYPE_FILE_CREATE | 1 | File or directory was created or opened |
| MSG_TYPE_FILE_READ | 2 | File data was read |
| MSG_TYPE_FILE_MODIFY | 3 | File data was written or modified |
| MSG_TYPE_FILE_DELETE | 4 | File was deleted |

MINIFILTER_MESSAGE

The core message sent from the kernel driver to the user-mode monitor.

classDiagram
    class MINIFILTER_MESSAGE {
        +ULONG MessageType
        +ULONG ProcessId
        +WCHAR FilePath[520]
    }

| Field | Type | Size | Description |
| --- | --- | --- | --- |
| MessageType | ULONG | 4 bytes | One of the MSG_TYPE_* constants |
| ProcessId | ULONG | 4 bytes | PID of the process that initiated the I/O operation |
| FilePath | WCHAR[520] | 1040 bytes | Null-terminated file path in NT format |

Total struct size: 1048 bytes


3. Shared Types: ScannerShared.h

Used by: Monitor and Scanner

Constants

| Name | Value | Description |
| --- | --- | --- |
| MAX_PATH_LEN | 260 | Maximum characters in the scan request file path |

SCAN_REQUEST

Scan request sent from the monitor to the scanner via named pipe.

classDiagram
    class SCAN_REQUEST {
        +WCHAR filePath[260]
        +DWORD pid
        +FILETIME timestamp
    }

| Field | Type | Size | Description |
| --- | --- | --- | --- |
| filePath | WCHAR[260] | 520 bytes | Null-terminated file path (copied from MINIFILTER_MESSAGE.FilePath) |
| pid | DWORD | 4 bytes | Process ID (copied from MINIFILTER_MESSAGE.ProcessId) |
| timestamp | FILETIME | 8 bytes | Timestamp set by the monitor via GetSystemTimeAsFileTime() |

Total struct size: ~532 bytes (with padding)
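As an added example (not code from the project), portable C++ definitions of the two structs above with static assertions on the sizes the reference gives, plus the monitor-side conversion from MINIFILTER_MESSAGE to SCAN_REQUEST. The Windows typedefs are shimmed so it compiles off Windows; BoundedLen and BuildScanRequest are names chosen here, and the decision to reject rather than truncate a path that does not fit the 260-WCHAR buffer is this example's policy.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
// Shims for the Windows types: WCHAR is a 16-bit wchar_t on Windows, so
// char16_t keeps the same layout on other platforms.
using ULONG = uint32_t;
using DWORD = uint32_t;
using WCHAR = char16_t;
struct FILETIME { DWORD dwLowDateTime; DWORD dwHighDateTime; };

constexpr size_t MAX_FILE_PATH_LENGTH = 520;  // FsMinifilterCommon.h
constexpr size_t MAX_PATH_LEN = 260;          // ScannerShared.h
constexpr ULONG MSG_TYPE_FILE_CREATE = 1, MSG_TYPE_FILE_READ = 2,
                MSG_TYPE_FILE_MODIFY = 3, MSG_TYPE_FILE_DELETE = 4;

struct MINIFILTER_MESSAGE {  // kernel -> monitor: 4 + 4 + 1040 bytes
    ULONG MessageType;
    ULONG ProcessId;
    WCHAR FilePath[MAX_FILE_PATH_LENGTH];
};
struct SCAN_REQUEST {        // monitor -> scanner: 520 + 4 + 8 bytes
    WCHAR    filePath[MAX_PATH_LEN];
    DWORD    pid;
    FILETIME timestamp;
};
static_assert(sizeof(MINIFILTER_MESSAGE) == 1048, "size given in the reference");
static_assert(sizeof(SCAN_REQUEST) == 532, "size given in the reference");

// Length of a WCHAR string bounded by its buffer, so an unterminated
// buffer handed up from the kernel cannot be read past its end.
size_t BoundedLen(const WCHAR* s, size_t cap) {
    size_t n = 0;
    while (n < cap && s[n] != 0) ++n;
    return n;
}

// Builds the scanner request. Returns false rather than truncating when the
// type is unknown, the path is unterminated, or the 520-WCHAR kernel path
// does not fit the 260-WCHAR request buffer (a silently truncated path
// would point the scanner at a different file than the one that was touched).
bool BuildScanRequest(const MINIFILTER_MESSAGE& msg, FILETIME now, SCAN_REQUEST& out) {
    if (msg.MessageType < MSG_TYPE_FILE_CREATE || msg.MessageType > MSG_TYPE_FILE_DELETE)
        return false;
    size_t len = BoundedLen(msg.FilePath, MAX_FILE_PATH_LENGTH);
    if (len == MAX_FILE_PATH_LENGTH || len >= MAX_PATH_LEN) return false;
    std::memset(&out, 0, sizeof(out));  // zeroes padding and the terminator
    std::memcpy(out.filePath, msg.FilePath, len * sizeof(WCHAR));
    out.pid = msg.ProcessId;
    out.timestamp = now;
    return true;
}
```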


4. Scanner Types: scanner_api.h

Used by: Scanner (internal)

SCAN_RESULT

classDiagram
    class SCAN_RESULT {
        <<enumeration>>
        SCAN_CLEAN = 0
        SCAN_SUSPICIOUS = 1
        SCAN_MALICIOUS = 2
        SCAN_ERROR = 3
    }

| Value | Name | Description | Currently Used |
| --- | --- | --- | --- |
| 0 | SCAN_CLEAN | File is benign | Yes |
| 1 | SCAN_SUSPICIOUS | Suspicious but not confirmed | Reserved |
| 2 | SCAN_MALICIOUS | Classified as malware | Yes |
| 3 | SCAN_ERROR | Analysis error | Reserved |

SCAN_MODE

classDiagram
    class SCAN_MODE {
        <<enumeration>>
        SCAN_FULL = 1
        SCAN_SINGLE = 2
    }

| Value | Name | Description |
| --- | --- | --- |
| 1 | SCAN_FULL | Pipe server mode (receives requests from the monitor) |
| 2 | SCAN_SINGLE | Interactive single-file scan mode |

5. PE Parser Types: pe_parser.h

Used by: Scanner (internal)

ParsedFile

Output structure from SafeParsePE / SafeParsePE_SEH.

classDiagram
    class ParsedFile {
        +bool is64Bit
        +DWORD sectionCount
        +DWORD importCount
        +DWORD textSize
        +float textEntropy
        +vector~BYTE~ textOpcodes
    }

| Field | Type | Default | Description |
| --- | --- | --- | --- |
| is64Bit | bool | false | Whether the PE is 64-bit (IMAGE_NT_OPTIONAL_HDR64_MAGIC) |
| sectionCount | DWORD | 0 | Number of sections in the PE |
| importCount | DWORD | 0 | Number of imported DLLs |
| textSize | DWORD | 0 | Size of the highest-entropy section in bytes |
| textEntropy | float | 0.0f | Shannon entropy of the highest-entropy section |
| textOpcodes | vector<BYTE> | empty | First 4096 bytes of the highest-entropy section |

PEParser Class

| Member | Access | Description |
| --- | --- | --- |
| m_fileData | private | Raw file data buffer |
| m_fileSize | private | Size of the file data |
| m_is64Bit | private | PE bitness |
| m_sections | private | Parsed section headers |
| m_importCount | private | Import DLL count |

6. Feature Types: features.h

Used by: Scanner (internal)

FeatureVector

classDiagram
    class FeatureVector {
        +float entropy
        +int importCount
    }

| Field | Type | Range | Description |
| --- | --- | --- | --- |
| entropy | float | 0.0 – 8.0 | Shannon entropy from ParsedFile.textEntropy |
| importCount | int | 0 – unlimited | Import count from ParsedFile.importCount |
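An added example (not the project's pe_parser.h or features.h) covering both the ParsedFile fields above and the FeatureVector that reads them: Shannon entropy over a section's bytes, and the selection of the highest-entropy section that fills textSize, textEntropy and textOpcodes. ShannonEntropy, Section and SummariseSections are names chosen here, the sections are assumed to be already split out of the PE, and the Windows typedefs are shimmed so it compiles off Windows.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <vector>
using BYTE = uint8_t;    // Windows typedefs, shimmed for portability
using DWORD = uint32_t;

struct ParsedFile {      // the fields listed for pe_parser.h
    bool  is64Bit      = false;
    DWORD sectionCount = 0;
    DWORD importCount  = 0;
    DWORD textSize     = 0;
    float textEntropy  = 0.0f;
    std::vector<BYTE> textOpcodes;
};
struct Section { const char* name; std::vector<BYTE> data; };  // one raw section

// Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for a
// uniform byte distribution (packed or encrypted sections sit near 8).
float ShannonEntropy(const BYTE* data, size_t len) {
    if (len == 0) return 0.0f;
    size_t hist[256] = {0};
    for (size_t i = 0; i < len; ++i) ++hist[data[i]];
    double h = 0.0;
    for (size_t c = 0; c < 256; ++c) {
        if (hist[c] == 0) continue;
        double p = static_cast<double>(hist[c]) / static_cast<double>(len);
        h -= p * std::log2(p);
    }
    return static_cast<float>(h);
}

// Fills the section-derived fields from already-split sections (first
// section wins ties); is64Bit and importCount come from the PE headers.
ParsedFile SummariseSections(const std::vector<Section>& sections, bool is64, DWORD imports) {
    ParsedFile pf;
    pf.is64Bit = is64;
    pf.importCount = imports;
    pf.sectionCount = static_cast<DWORD>(sections.size());
    const Section* best = nullptr;
    for (const auto& s : sections) {
        float e = ShannonEntropy(s.data.data(), s.data.size());
        if (!best || e > pf.textEntropy) { best = &s; pf.textEntropy = e; }
    }
    if (best) {   // textOpcodes keeps at most the first 4096 bytes
        pf.textSize = static_cast<DWORD>(best->data.size());
        size_t n = best->data.size() < 4096 ? best->data.size() : 4096;
        pf.textOpcodes.assign(best->data.begin(), best->data.begin() + n);
    }
    return pf;
}
```

The FeatureVector of features.h is then just textEntropy and importCount copied out of the returned ParsedFile.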

7. Kernel-Internal Types: FsMinifilter.h

Used by: Kernel Driver only

FS_STREAM_CONTEXT

classDiagram
    class FS_STREAM_CONTEXT {
        +volatile LONG NumOps
        +volatile LONG IsNotified
        +BOOLEAN SetDisp
        +BOOLEAN DeleteOnClose
    }

| Field | Type | Description |
| --- | --- | --- |
| NumOps | volatile LONG | Count of in-flight SetDisposition operations (for race detection) |
| IsNotified | volatile LONG | 1 if the delete notification has already been sent (exactly-once semantics) |
| SetDisp | BOOLEAN | Current delete disposition state |
| DeleteOnClose | BOOLEAN | Whether the file was opened with FILE_DELETE_ON_CLOSE |

Pool Tag: 'xSsF' (FS_STREAM_CONTEXT_POOL_TAG)
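An added user-mode model (not the driver's code) of the FS_STREAM_CONTEXT fields, with std::atomic standing in for the kernel's Interlocked operations. It shows the two properties the counters exist for: an exactly-once claim on the delete notification and detection of overlapping SetDisposition operations on one stream. The function names and the notify policy in ShouldNotifyDelete are assumptions of the example, not the driver's documented behaviour.

```cpp
#include <atomic>
#include <cstdint>
using LONG = int32_t;     // Windows typedefs, shimmed for portability
using BOOLEAN = uint8_t;

struct FS_STREAM_CONTEXT {
    std::atomic<LONG> NumOps{0};      // in-flight SetDisposition operations
    std::atomic<LONG> IsNotified{0};  // 1 once the delete notification went out
    BOOLEAN SetDisp = 0;              // current delete disposition
    BOOLEAN DeleteOnClose = 0;        // opened with FILE_DELETE_ON_CLOSE
};

// Exactly-once claim: the caller that flips IsNotified 0 -> 1 owns the
// notification; every later or concurrent caller gets false.
bool ClaimDeleteNotification(FS_STREAM_CONTEXT& ctx) {
    LONG expected = 0;
    return ctx.IsNotified.compare_exchange_strong(expected, 1);
}

// Pre-operation side of a SetDisposition: counts the op in and reports
// whether another one on the same stream is still in flight.
bool EnterSetDisposition(FS_STREAM_CONTEXT& ctx) {
    return ctx.NumOps.fetch_add(1) > 0;
}

// Post-operation side: counts the op out.
void LeaveSetDisposition(FS_STREAM_CONTEXT& ctx) {
    ctx.NumOps.fetch_sub(1);
}

// Assumed policy for the example: notify only when a delete is pending
// (disposition set or delete-on-close) and it has not been reported yet.
bool ShouldNotifyDelete(FS_STREAM_CONTEXT& ctx) {
    if (!ctx.SetDisp && !ctx.DeleteOnClose) return false;
    return ClaimDeleteNotification(ctx);
}
```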

Monitor-Side Wrapper: FILTER_MESSAGE

classDiagram
    class FILTER_MESSAGE {
        +FILTER_MESSAGE_HEADER Header
        +MINIFILTER_MESSAGE Message
    }

Defined in FsMinifilterMonitor/main.cpp. Wraps the kernel MINIFILTER_MESSAGE with the Filter Manager-provided FILTER_MESSAGE_HEADER.


8. Constants Summary

| Constant | Value | Defined In | Scope |
| --- | --- | --- | --- |
| MINIFILTER_PORT_NAME | L"\\FsMinifilterPort" | FsMinifilterCommon.h | Kernel + Monitor |
| MAX_FILE_PATH_LENGTH | 520 | FsMinifilterCommon.h | Kernel + Monitor |
| MAX_PATH_LEN | 260 | ScannerShared.h | Monitor + Scanner |
| PIPE_NAME | L"\\\\.\\pipe\\ScannerPipe" | scanner.cpp / main.cpp | Monitor + Scanner |
| MAX_QUEUE_SIZE | 10000 | queue.cpp | Scanner |
| DEDUP_COOLDOWN_MS | 5000 | FsMinifilterMonitor/main.cpp | Monitor |
| FS_STREAM_CONTEXT_POOL_TAG | 'xSsF' | FsMinifilter.h | Kernel |
| FS_STRING_POOL_TAG | 'rSsF' | FsMinifilter.h | Kernel |
